# Authentication

### Introduction to Authentication

In order to securely access the API endpoints, developers must authenticate their requests using OAuth 2.0. Our API uses the Client Credentials flow, a protocol designed for server-to-server interactions where a client application needs to authenticate with the API directly.

### OAuth 2.0 Overview

To begin, you will be issued a `Client ID` and a `Client Secret`, which serve as your credentials. These credentials must be kept secure, as they allow your application to obtain an access token.

### Generating a Bearer Token

To authenticate, you need to generate a Bearer Token by making a POST request to the following endpoint:

`https://app.surveysphere.co.uk/connect/token`

**Request Parameters**

Your request should include the following parameters:

* **grant\_type:** Set this to `client_credentials`.
* **client\_id:** Your issued Client ID.
* **client\_secret:** Your issued Client Secret.

**Example Request**

Here is an example of how to generate a Bearer Token:

```http
POST https://app.surveysphere.co.uk/connect/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&client_id=your_client_id&client_secret=your_client_secret
```

**Response**

A successful response will return a JSON object containing the Bearer Token:

```json
{
  "access_token": "your_generated_token",
  "token_type": "Bearer",
  "expires_in": 3600
}
```

### Using the Bearer Token

Once you have obtained the Bearer Token, include it in the Authorization header of your API requests:

```http
Authorization: Bearer your_generated_token
```

### Bearer Token Expiry

The Bearer Token is valid for 60 minutes. After this period, you will need to generate a new token by repeating the authentication process. To ensure uninterrupted access to the API, third-party applications should implement logic to automatically renew the Bearer Token before or immediately after it expires.

This authentication mechanism ensures that only authorized applications can access the API, helping to secure the data and functionality provided by the API.
